Developers of the Symfony PHP framework have reversed a recent change that inadvertently turned off protection against cross-site request forgery (CSRF) attacks.
Symfony is a popular PHP framework for web and console applications. The Symfony form component of the open source software features a CSRF protection mechanism that relies on a random token injected in the form.
This protection can be enabled or disabled through the framework's configuration. It was enabled by default until a recent change in how the configuration was loaded left CSRF protection turned off unless it was explicitly enabled.
CSRF vulnerabilities create a mechanism for attackers to trick users into carrying out actions they did not intend to perform. The problem arises in cases where it is possible for different websites to interfere with each other.
Modern browsers such as Chrome as well as web development frameworks such as Symfony feature built-in protection against CSRF attacks.
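As an added example (not code from the article or from the Symfony project), the following shows how an application can pin CSRF protection at the form level so it does not depend on the framework-wide default, and how a controller action that does not use the Form component can validate the token itself. The class names, token ids and route are assumed for illustration.

```php
<?php
// Added example, not from the Symfony project: explicit per-form CSRF options
// and a manual token check for a non-form action. Names are hypothetical.

namespace App\Form {
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\Extension\Core\Type\TextType;
    use Symfony\Component\Form\FormBuilderInterface;
    use Symfony\Component\OptionsResolver\OptionsResolver;

    final class ChangeEmailType extends AbstractType
    {
        public function buildForm(FormBuilderInterface $builder, array $options): void
        {
            $builder->add('email', TextType::class);
        }

        public function configureOptions(OptionsResolver $resolver): void
        {
            $resolver->setDefaults([
                // Set explicitly so this form is protected regardless of the
                // value of framework.form.csrf_protection.enabled.
                'csrf_protection' => true,
                'csrf_field_name' => '_token',
                // A token id unique to this form prevents a token issued for
                // one form from being accepted by another.
                'csrf_token_id'   => 'change_email',
            ]);
        }
    }
}

namespace App\Controller {
    use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;

    final class AccountController extends AbstractController
    {
        // State-changing action without a Form object: check the token by hand.
        public function deleteApiKey(Request $request): Response
        {
            $token = $request->request->get('_token');
            if (!$this->isCsrfTokenValid('delete_api_key', $token)) {
                return new Response('Invalid CSRF token', Response::HTTP_FORBIDDEN);
            }
            // ... delete the key for the current user ...
            return new Response('', Response::HTTP_NO_CONTENT);
        }
    }
}
```

The template that renders the delete form must include the matching hidden field, e.g. `csrf_token('delete_api_key')` in Twig; the check above rejects the request when that value is missing or stale.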
Users of affected versions of Symfony (5.3.14 and earlier, 5.4.0-5.4.3, and 6.0.0-6.0.3) need to upgrade to patched versions, as explained in an advisory posted on GitHub.
The issue – tracked as CVE-2022-23501 – notched a CVSS score of 8.1. Because of its high impact, early remediation is recommended.
Source: https://portswigger.net/daily-swig/bittersweet-symfony-devs-accidentally-turn-off-csrf-protection-in-php-framework